Apps using a vulnerable NuGet package will get served the patched Assembly via GAC Publisher Policy.

Conclusions

I am now more confident that using NuGet packages I get critical updates for my applications when needed when Windows Update is used.

But: I would like to see a more recent document about the treatment of Security issues in NuGet. (Pease leave a comment if you have something and I will update the post). And I would like to know why the NuGet package feed list is empty.